EXPERT STRATEGIES FOR LOG COLLECTION, ROOT CAUSE ANALYSIS, AND COMPLIANCE

Transcription

1

2 EXPERT STRATEGIES FOR LOG COLLECTION, ROOT CAUSE ANALYSIS, AND COMPLIANCE A reliable, high-performance network is critical to your IT infrastructure and organization. Equally important to network performance is network security. In addition to all your network monitoring and problemresolution efforts, you are also tasked with collecting and sifting through log data and analyzing the root cause of security-related issues. On top of that, you need to make sure your IT security methods adhere to federal regulations and can pass a compliance audit. Network performance and security is a lot to oversee, and many critical pieces can slip through the cracks. The best way to approach your network security tasks is to create a plan and checklist to make sure you don t overlook an important task or information. This ebook provides some tips and guidelines for these security processes: LOG MANAGEMENT ROOT CAUSE ANALYSIS COMPLIANCE

3 BEST PRACTICES FOR LOG MANAGEMENT Everyone knows how critical log collection is to a secure network. But does everyone know how to create a log collection plan and determine what is needed from the log data collected? Probably not. And it doesn t matter if you re a dedicated Security Engineer, a Network Architect, or a System Admin, collecting logs is a crucial part of any successful security strategy.

4 HOW WILL LOG COLLECTION AND STORAGE IMPACT YOUR SYSTEM RESOURCES? Whether it s a free Syslog Server you spin up on a Linux VM or a full-blown log management solution, you will need to provide system resources (i.e. memory, CPU, and storage). Storage is almost always the most expensive resource. Make sure you have a detailed understanding of how your logging solution interacts with your storage resources and whether there is any compression that is either configurable or automated. Memory and CPU will take the next hit. Real-time collection tends to use more sustained memory and CPU. The amounts vary based on volume because log collection and storage occur simultaneously. Review your documentation to understand the impact logging will have on your devices, servers, and applications once it s enabled. DO YOU HAVE ANY SPECIFIC REQUIREMENTS FOR LOGGING? LOG MANAGEMENT LOG MANAGEMENT REALLY BOILS DOWN REALLY BOILS DOWN TO ONE QUESTION: TO ONE QUESTION: WHICH LOGS SHOULD WHICH LOGS SHOULD YOU COLLECT? YOU COLLECT? To answer this question, here are some questions we recommend asking as well as other best practice recommendations Compliance regulations usually drive this conversation; however, you may also have specific internal requirements for legal or security purposes. Either way, a detailed understanding of all your requirements helps you collect the right information from the As mentioned in the previous suggestion, the amount of log information generated by your different devices, operating systems, and applications can be enormous. So, along with determining the actual requirements for which logs you need to collect, it is important to understand how each different system generates logs. For example, Windows operating systems offer a detailed audit configuration that allows you to be right devices. For example: PCI provides some detail on what should be collected from your audit logs. See page 56 of the Payment Card Industry (PCI) Data Security Standard document for a complete list of details. DO YOU UNDERSTAND WHAT INFORMATION YOUR SYSTEMS LOG, AND HOW? selective about which logs are generated (i.e. logons/ logoffs, privileged use, system events, and others). Additionally, you can choose whether to use successful or failed events, which allows you to take a more granular approach to log configuration.

5 SCHEDULE AND SECURE ARCHIVES. Logs contain tons of useful Logs contain tons of useful information. When collected information. When collected properly, they can help you properly, they can help you improve security and quickly improve security and quickly resolve network and systems resolve network and systems issues. Creating a logging issues. Creating a logging plan before you set up your plan before you set up your log collection process can be log collection process can be the difference between long the difference between long hours of digging through hours of digging through useless data and quickly useless data and quickly finding what you need. finding what you need. Data compression rates have grown significantly over the years, allowing for longer time frames for available data. However, archiving logs is still a critical function of log management. Before you schedule archives, make sure you understand the compression ratio of the archive. This will be especially important as your log store grows compared to the amount of your available archive space. Become familiar with how your log management system archives data (i.e. by device? entire database? specific logs?). Understanding the available methods of archiving saves you time, and more importantly, storage space. Secure your archives, even if it s not a regulatory requirement. You can secure active or available data by requiring some authenticated access. This is also a good practice to prevent any changes to the data. At a minimum, you should encrypt historical archives. Any additional security measures, like signing, are an added benefit. go on to the next section... go on to the next section...

6

7 SOMETIMES LESS IS MORE. When you look into your log management or SIEM technology, sometimes it s better to start with a single key word, IP address, or username for a specific timeframe rather than a specific detailed search. This kind of simple search may provide insight into activity from other devices which can help you back track and find out where the event originated. Pay attention to large amounts of certain events like errors, access failures, file activity, and change events that contain the same username, IP address, or both. Also, look for changes by the same user or source IP across multiple systems. VISUALIZE YOUR DATA. Root cause analysis (RCA) is probably the most critical function in security outside of maintaining a secure and compliant network. Anytime a security event has been detected or even perceived you are tasked with discovering the origin or cause. Here are some best Visualize your data. Visualizing data is a way to identify trends in the information flow. A large spike of a single event or a sustained amount of events over a period of time CORRELATE DATA FROM DIFFERENT DEVICES TO IDENTIFY SECURITY EVENTS. Correlation of log data across different devices, systems, and applications adds another layer of security monitoring and may reveal security issues outside of the radar. For example, correlating a spike in outbound logs not sourcing from your internal server is a good indication of malware. usually signifies an anomaly. Visualization can also help you quickly identify a time frame to start your investigation. Finally, if you are using a SIEM or log management product, you can typically build dashboards based on various criteria like network traffic, authentication, file, and change events. Advanced Persistent Attacks (APTs) can be hard to detect. However, if you re investigating logs you can look for random software installs correlated with outbound FTP traffic logs from your firewall within the same time frame as an attack. practices to help you get the most out of root cause analysis.

8 ESTABLISH TEMPLATES TO SUPPORT INCIDENT RESPONSE. RCA and incident response are different functions, but they rely on each other. Determine what a response team, legal, or your leadership will require from the data (i.e. IP address, port, username etc.), then create Standard Operational Procedures (SOPs) and templates for general and specific situations. Regardless of who is present when an event occurs, everyone needs to be clear about what information is critical and who to contact. Hopefully, you find these suggestions helpful. Sometimes in the heat of the moment it is best to stop and go back to the basics.

9 Have you ever had the pleasure of grinding through compliance audits? If not, don t think you never will.

10 DOCUMENT, DOCUMENT, DOCUMENT!!! Documentation is hands down the most tedious part of preparing for an audit. It s also the most neglected. Thorough documentation will serve you well, even long after passing an audit. If you have been tasked with securing the network and preparing for audits, organizing and documenting your policies and procedures for EVERYTHING is critical. Always approach documentation with a mindset of If I am not here, can anyone follow these procedures?" Finally, always remember that an audit is an on-going process. Always keep your information current by scheduling time to review and revise your documentation throughout the year. CLEARLY UNDERSTAND YOUR COMPLIANCE REQUIREMENTS AND DON T SKIP ANYTHING. Every regulated industry is different. Understanding what is required for your particular industry can be a challenge. Some compliance requirements are clearly defined while others provide only vague details. Make sure you know what specifics your industry requires. IDENTIFY DEVICES. Now that you have everything documented and a clear understanding of your requirements, identify which network devices, systems, and applications must be monitored for compliance. The sooner you accomplish this, the better. It is especially important if you are ID deploying a SIEM or Log Management solution. These may require additional applications to collect logs. One recommendation is when communicating with different department heads to identify devices, assign a dollar value to the risks of non-compliance. This will help you identify and properly document all the necessary devices.

11 AUTOMATE WHEREVER POSSIBLE. When collecting audit trails, you will quickly see that the data volume is immense and seemingly impossible to review. Automation can help simplify things. Develop or configure automated reporting and scheduled reports that are specific to your compliance requirements. Also, leverage any real-time/near real-time alerting and notification functionality. Most of today's Log Management solutions provide some form of alerts or notifications, which is a good compliance audit best practice because it proves that you are "actively reviewing" your logs. REVIEW POLICIES AND PROCEDURES. If you consistently review your procedures and compare them with the most updated requirements, you should always be prepared for an audit. At a minimum, we strongly recommend quarterly reviews monthly is ideal. Meeting compliance regulations can be challenging when it comes to collecting the necessary audit trails. Hopefully, these suggestions give you some ideas or jog your memory and motivate you to start that compliance review!

12 To learn more about SolarWinds Log and Event Manager please visit: SolarWinds Worlwide, LLC. All rights reserved.